Securing Internet-of-Medical-Things networks using cancellable ECG recognition

Reinforcement of the Internet of Medical Things (IoMT) network security has become extremely significant as these networks enable both patients and healthcare providers to communicate with each other by exchanging medical signals, data, and vital reports in a safe way. To ensure the safe transmission of sensitive information, robust and secure access mechanisms are paramount. Vulnerabilities in these networks, particularly at the access points, could expose patients to significant risks. Among the possible security measures, biometric authentication is becoming a more feasible choice, with a focus on leveraging regularly-monitored biomedical signals like Electrocardiogram (ECG) signals due to their unique characteristics. A notable challenge within all biometric authentication systems is the risk of losing original biometric traits, if hackers successfully compromise the biometric template storage space. Current research endorses replacement of the original biometrics used in access control with cancellable templates. These are produced using encryption or non-invertible transformation, which improves security by enabling the biometric templates to be changed in case an unwanted access is detected. This study presents a comprehensive framework for ECG-based recognition with cancellable templates. This framework may be used for accessing IoMT networks. An innovative methodology is introduced through non-invertible modification of ECG signals using blind signal separation and lightweight encryption. The basic idea here depends on the assumption that if the ECG signal and an auxiliary audio signal for the same person are subjected to a separation algorithm, the algorithm will yield two uncorrelated components through the minimization of a correlation cost function. Hence, the obtained outputs from the separation algorithm will be distorted versions of the ECG as well as the audio signals. The distorted versions of the ECG signals can be treated with a lightweight encryption stage and used as cancellable templates. Security enhancement is achieved through the utilization of the lightweight encryption stage based on a user-specific pattern and XOR operation, thereby reducing the processing burden associated with conventional encryption methods. The proposed framework efficacy is demonstrated through its application on the ECG-ID and MIT-BIH datasets, yielding promising results. The experimental evaluation reveals an Equal Error Rate (EER) of 0.134 on the ECG-ID dataset and 0.4 on the MIT-BIH dataset, alongside an exceptionally large Area under the Receiver Operating Characteristic curve (AROC) of 99.96% for both datasets. These results underscore the framework potential in securing IoMT networks through cancellable biometrics, offering a hybrid security model that combines the strengths of non-invertible transformations and lightweight encryption.

pinpoint its potential restrictions or disadvantages as well.The efficacy and generalizability of this system have not yet been thoroughly assessed.
For patients, it makes sense to benefit from cancellable biometrics' recent growth in IoMT applications for access control.For patients to deal with IoMT applications, the best biometric traits are the ECG signals, which are continuously monitored.The two main tools for the development of cancellable biometric systems, namely non-invertible transforms and biometric encryption, are not adequate on their own, because they are susceptible to specific kinds of attacks.Combining them can raise the cancellable templates' level of security, as this paper reveals.Avoiding excessive complexity in the combination process is an essential requirement that must be taken into account.For this reason, lightweight encryption is used, and a signal separation algorithm is implemented as a non-invertible transform.The rationale behind the utilization of signal separation is its ability to give two low-correlation signal components from two signals having some sort of correlation.As a result, if we begin operation with an ECG signal and an auxiliary audio signal for the same person, with some sort of correlation of any level, the two resultant signals after separation will be of minimal correlation.In other words, the two resultant signals after separation can be considered as distorted signals that depend in their origin on the ECG signal used.One of these distorted signals can be used as a cancellable template for the user.The combination of lightweight encryption and blind signal separation improves security effectiveness of original cancellable templates.
Consequently, the motivations behind this work are: • To create a more secure biometric recognition framework for IoMT applications.Cancellable biometric systems generate a new biometric template for every authentication request, thereby mitigating the vulnerability of traditional biometric systems to attacks.• To preserve patients' private information.Biometric data is further safeguarded by cancellable biometric systems, which ensure that biometric data cannot be reverse engineered to reveal the original biometric features.• To improve the authentication efficacy in IoMT applications.Traditional biometric systems require a centralized database storage of biometric data with certain precautions to safeguard original biometrics , which may be expensive and time-consuming to maintain.In contrast, cancellable biometric systems do not require these precautions, because it is possible to create new templates in case of compromise.• To investigate the possibility of using lightweight encryption in conjunction with a 2 × 2 blind signal separation module for cancellable biometric recognition.Although this framework is thoroughly studied in the context of IoMT applications, it may be adopted on a large scale.• To develop a framework that can be applied to real-world IoMT applications, such as remote health monitoring and patient identification.
This paper presents a cancellable ECG recognition framework that starts at the ECG acquisition stage.In order to produce a non-invertible dynamic range modification in the ECG signals, a 2 × 2 blind signal separation module is applied to each ECG biometric signal with an audio signal in order to obtain two distorted outputs with minimal correlation.This process leads to templates with distortions that cannot be reverted.Next, a straightforward XOR encryption step is applied using a key that is unique to each patient.This step raises the users' degree of privacy.Every user has an easy way to choose his key.Furthermore, his original ECG biometric is not saved in the system database.The user can quickly alter the key he has chosen or the audio signal that the separation algorithm begins with in case of compromise.
This paper main contribution is a trustworthy framework for authentication in addition to ensuring aliveness of patients in IoMT networks.By creating cancellable biometric templates that are non-invertible, the biometric recognition framework will be more resilient to attempts of tampering or theft of original biometrics.Generally, a cancellable biometric system is a system that depends on generating distorted, modified versions of the biometric data in a non-invertible way.There should be no information provided about the actual biometric traits by this one-way transformation.By comparing the new user's transformed or distorted template with the distorted templates kept in the database, the authenticity of the user can be verified.
The main contributions of this work are: • Providing innovative a cancellable biometric recognition framework based on a 2 × 2 blind signal separation module that is applied to ECG and audio signals, as well as a lightweight encryption algorithm.This framework is recommended for IoMT applications.• Creating user-specific patterns for lightweight encryption using XOR operation to increase security of biometric traits.The lightweight encryption algorithm is intended to reduce the system processing and storage requirements, making it appropriate for IoMT devices with limited resources.• By creating cancellable biometric templates that can be used for authentication without subjecting the original biometric data to breaches, the proposed framework provides an excellent degree of security and privacy.• Several ECG databases are used to assess the suggested framework, and results demonstrate that it maintains high degrees of security and privacy, while achieving high recognition accuracy and low computational cost.
Lastly, the proposed framework is compared to previously-published studies that made use of the same datasets.The results show that the proposed framework performs better in terms of authentication accuracy than other previous counterparts.The main advantage of this work is that the sophisticated signal separation module induces the required level of distortion in cancellable templates without large complexity.Moreover, the lightweight encryption adds to the degree of security of templates, while keeping the high ability to identify users.

Related work
Numerous studies on person identification using ECG signals have been published in the literature.An algorithm for person identification based on ECG signals was introduced by Lee and Kwak 17 .Principal component analysis and Eigen value decomposition were the main tools of their work.The robustness of this algorithm to noise effects has been verified.The authors obtained a 98.25% classification accuracy.
An ECG-based identification method based on sparse feature representations was presented by Huang et al. 18 .In an overall optimization framework, users' sparse feature patterns are subjected to similarity tests.In the recognition process, a regularization problem and a set of constraints are considered.The purpose of this method was to provide authentication for access to embedded smartphone applications.Its relative complexity stems from the requirement to solve an optimization problem and perform Eigen decomposition of matrices.
Furthermore, ECG-based identification was presented by Barros et al. 19 with pre-processing steps before the identification process.In order to concentrate on the most representative ECG features for identification, pre-processing steps, such as outlier removal, QRS complex segmentation, and noise reduction, were carried out on three-second signal segments.Twenty-two features were included in the identification process.Using the PhysioNet Computing in Cardiology 2018 dataset, the authors validated their approach using Random Forest (RF) classifier 20 .On 1500 subjects, this work showed a 92% precision and an 80% accuracy on 1200 subjects.
Finger veins and ECG signals were combined by Su et al. 21for human identification.Discriminant Correlation Analysis (DCA) and Canonical Correlation Analysis (CCA) were employed for fusion of the features extracted from each database.This model achieved an EER of 0.144%.This multi-modal approach did better in terms of security and recognition accuracy than the two independent unimodal implementations.
Another methodology for human authentication based on ECG readings from two finger electrodes connected to a smartphone application was presented by Zhang et al. 22 .They chose fiducial feature extraction and used the Discrete Cosine Transform (DCT) to reduce the dimensionality of the features due to its energy compaction property.To evaluate the performance of the model, they employed Support Vector Machines (SVMs) and Neural Networks (NNs).They achieved accuracy levels up to 97.6% and 96.6%, respectively.This model requires 4 s for authentication and 20 s to register a new user.
Hammad et al. 23 proposed two methods to build an ECG-based cancellable biometric system.They recommended improved matrix manipulation and bio-hashing techniques.Feature vector generation and coding are typically performed with bio-hashing to create irreversible binary codes.However, the matrix manipulation method includes operations like mixing, matrix inversion, row and column permutations, and more.In their work, the authors first extracted the ECG features using the Pan-Tompkins technique, and then utilized an ANN for authentication.Their methods achieved EER values of 0.20 and 0.06.
A cancellable ECG biometric recognition system based on a Generalized Likelihood Ratio Test (GLRT) with randomly-selected hypothesis testing was proposed by Kim et al. 24 .Additionally, they suggested utilization of Guided Filtering (GF) to transform the ECG templates in an irreversible way.Finally, they evaluated the system on the ECG-ID database.It performed better than the conventional Euclidean detector, with a performance index of 94.3%.
An ECG-based human authentication system based on generalized S-transformation and Convolutional Neural Networks (CNNs) was presented by Zhao et al. 25 .To acquire the trajectories of ECG signals in the form of images, the signal segments are first blindly processed with the S-transform.In order to further identify the authorized users, these trajectories are subsequently fed into a CNN as input images.Three distinct databases of clean and noisy ECG signals were considered in the evaluation process.Up to 96.6% accuracy levels were attained in this work.
A wearable sensor prototype was developed by Blasco et al. 26 to collect ECG, PPG, and Galvanic Skin Response (GSR) signals in order to establish a multi-modal biometric system for user authentication.After filtering, each signal is divided into 2-s windows.Ninety-six coefficients are recovered using the PPG and ECG windows (sixty-four from the Fourier transform and sixty-four from the Walsh-Hadamard transform), however, four statistical features are retrieved from the GSR window.The density estimation classifier that the authors used is based on the Gaussian model, and it produced results of 0.99 for AROC and 0.02 for Equal Error Rate (EER).
ECG and audio signals were integrated by Bugdol et al. 27 to create a behavior-based biometric system.The foundation of this system is the measurement of human responses to the stimuli.The ECG signal R-R distance between consecutive R peaks and the voice-extracted Mel-Frequency Cepstral Coefficients (MFCCs) are used as the multi-modal system discriminant features.The system was evaluated using KNN and NN classifiers, with average accuracies of 75% and 77%, respectively.An overview of previously-published research that is closely relevant to the subject is shown in Table 1.
Generally, most cancellable biometric recognition systems produce acceptable results from the privacy and security perspectives.However, there are some obvious drawbacks that encourage the development of a new systems.Some of these drawbacks are listed below: • There is a chance that the cancellable biometric recognition systems that are currently in use do not offer enough security, which puts users at the risk for identity theft, illegal access, and data breaches.Consequently, the relatively high complexity of segmentation and classification algorithms is a feature of most of the available ECG identification systems, whether cancellable or open.The patients require an interactive system to control the basic acquisition and ECG signal encryption or deformation method in order to access the IoMT networks.Furthermore, for these tasks to be carried out automatically without the need for user intervention, a hardware implementation is necessary.The user's only rule is to set a unique identifier that can be changed in case of hacking.That is what we will introduce in the following parts, together with the details of the proposed framework, its analysis and comments, and its superior performance compared to previous relevant studies.

Proposed cancellable ECG recognition framework
The suggested framework for developing cancellable ECG templates is presented in this section.The ability to create cancellable templates from original ones that cannot be utilized to retrieve the original templates again is the most important feature of a cancellable biometric system.In this method, the user's privacy is protected.The ability to modify the cancellable templates in hacking scenarios is a crucial and requested functionality.Two more essential requirements are high classification accuracy and ease of implementation.
The suggested framework has a hybrid design.As illustrated in Fig. 1, it is composed of a signal deformation stage based on blind signal separation and lightweight encryption represented by binary XOR with a userspecific key.This framework aims to improve privacy by using low-cost, lightweight encryption, while rendering biometric templates non-invertible.
The 2 × 2 blind signal separation algorithm is used with two inputs, namely the ECG signal and an auxiliary audio signal.The basic idea of signal separation is to produce two signals that are uncorrelated from the two signals that have some sort of correlation.This guarantees an appropriate level of distortion to hide the significant features of the original ECG signals.Additionally, the utilization of a user-specific secret key with the same length as that of the ECG signal to be XORed with the signal supports lightweight encryption for more hiding of the signal details.The suggested framework provides secure cancellable ECG templates that can be used to access IoMT networks.
The following steps illustrate the suggested framework methodology: 1. Acquire a 1-D biometric ECG signal for the patient.
2. Acquire a 1-D audio signal for the same patient.
3. Verify that the lengths of the two signals are equal.4. Create the updated ECG template using a blind signal separation algorithm between the ECG signal and the auxiliary audio signal.5. Apply a binarization process to one of the two outputs of the separation process.6. Perform XOR operation using a user-specific key with the obtained binary vector to produce the cancellable template.
System mismatch or ambient noise may have an impact on the ECG signals during the acquisition procedure.Consequently, it is recommended to remove the noise before proceeding to additional processing phases.However, in order to work on real settings, the performance of the proposed framework is tested with noisy signals at different SNRs.Additive White Gaussian Noise (AWGN) is investigated as the noise affecting the signals with an SNR of 10 dB.
The essential stage of the proposed framework is blind signal separation.It primarily addresses mixed signals, which are common in everyday life.Unwanted signals are commonly combined with signals of interest in real life.The development of blind signal separation algorithms has been spurred by this fact.The term "blind" refers to the lack of prior knowledge regarding the sources and mixed signals.Here, we use a 2 × 2 signal separation system.Its foundation is the application of output decorrelation as the criterion for signal separation.The mathematical model of the signal separation algorithm is discussed below assuming two convolutive mixtures are available 28,29 .This algorithm will be exploited with the ECG signal and the auxiliary audio signal as inputs.Our objective here is merely making use of the signal decorrelation concept to obtain distorted ECG signals that can be used as cancellable templates.www.nature.com/scientificreports/If there are two signal sources s 1 (k) , s 2 (k) and two observations x 1 (k) , x 2 (k) in a 2 × 2 Linear Time Invariant (LTI) system, it is assumed that the source signals are statistically independent with zero mean 30 .The following equations represent the observations, which are considered to be convolutive sums of the sources as seen in Fig. 2.
In matrix form, we have: where h T ij = h ij (0), . . ..., h ij p . and h ij is a representation of the impulse response from source j to sensor i , and the filter order is denoted by p .For simplicity, the source signals are assumed to be zero-mean and statistically independent.It is evident from Eqs. 1 and 2 that in the presence of noise, the mixtures are convolutive sums of sources.Assuming that the signals arrive at the sensors unfiltered, that is the problem is simplified by setting h 11 = h 22 = 1.
s 1 (k) and s 2 (k) are the actual source signals, and h ij are the true impulse responses of sources to sensors.s ′ i (k) is then the signal as observed by the i th sensor.It is assumed that H ii (z) = 1 , and thus s ′ i (k) = s i (k), and H ′ ij (z) = H ij (z) .In the case of interest, H ii (z) = 1 , and hence Eq. 5 can be simplified to: Finding the signals y 1 (k) and y 2 (k) from x 1 (k) and x 2 (k) is the target of blind signal separation.We can presume that: where then The result of substituting Eq. 7 into Eq.9 is: Finding appropriate W i (z) such that Y 1 (z) and Y 2 (z) each contains either S 1 (z) or S 2 (z) only is the blind signal separation task.

Iterative separation algorithm
This section presents an iterative separation algorithm for the 2 × 2 convolutive system in the time domain.As shown in Fig. 3, using q + 1 tap Finite Impulse Response (FIR) filters, the separation algorithm minimizes the output cross-correlations for an arbitrary number of lags 30 .
Finding suitable W 1 (z) and W 2 (z) such that Y 1 (z) and Y 2 (z) each contains only either S 1 (z) or S 2 (z) is the solution for the problem, according to Eq. 9. Given stationary, zero-mean, independent random signals s 1 (k) and s 2 (k) , their cross-correlation is equal to zero, which means that: The cross-correlation of y 1 (k) and y 2 (k) should also be zero if y 1 (k) and y 2 (k) each includes components of either s 1 (k) or s 2 (k) , only.Hence, www.nature.com/scientificreports/Substituting from Eq. 8 into Eq.12 yields: where ] is a q + 1 × q + 1 matrix representing the cross-correlation of x 2 and x 1 .
The sum of the squares of the cross-correlation elements determines the cost function C as: where C can also be written as in Eq. 16, and l 1 and l 2 are selected cross-correlation lags.
When the rate of change of the derivative in Eq. 20 is smaller than a pre-set threshold, such as 0.01%, convergence is reached, and w 1 and w 2 can be determined by iterating between the two equations.We then get a set of outputs, y 1 (k) and y 2 (k) , by estimating w 1 and w 2 .Only s 1 (k) or s 2 (k) is present in each output 30 .Fig. 4 shows the weight optimization process.

Algorithm steps
1.The cross-correlation matrices Q − x 1 x 1 and Q + x 2 x 2 are initialized.2. The matrices ψ 1 and ψ 2 are constructed.3. The weights w 1 and w 2 are updated.4. Convergence is checked.5. Iterative update of weights w 1 and w 2 continues until the cost function C is minimized and convergence occurs.6.The weights w 1 and w 2 at which convergence occurs are selected as the optimum weights.7. Since optimum weights w 1 and w 2 are obtained, the outputs y 1 (k) and y 2 (k) can be obtained.8.The cancellable template is selected as either y 1 (k) or y 2 (k).

Experiments ECG datasets
In this work, two public and accessible ECG datasets were used to assess the efficacy of the proposed cancellable biometric recognition framework based on ECG signals: ECG-ID [31][32][33] , and MIT-BIH [34][35][36][37] .Using a single-lead ECG sensor, 310 ECG records for 90 people (46 women and 44 men) have been acquired to constitute the ECG-ID dataset.Every record is 20-s long and has a 12-bit resolution with a sampling rate of 500 Hz.A few demographic details, including age, gender, and the recording date, are also included in the dataset.There are 48 two-channel ECG recordings in the MIT-BIH dataset, each lasting for 30 min.The recordings are for 47 different persons with a 11-bit resolution and a sampling rate of 360 Hz for each channel.

ECG signal acquisition
The first step is to obtain the required ECG signal using non-invasive electrodes.

Production of cancellable ECG templates
Non-invertible cancellable ECG templates are generated based on blind signal separation with the help of an auxiliary audio signal, which induces some sort of distortion into the signals.We also use lightweight encryption with XOR operation and user-specific keys to enhance the level of security.

Classification and verification processes
Based on the correlation score between the query and the biometric templates stored in the database, matching scores are obtained.The matching sores are used for user verification.A significant degree of similarity between two templates is indicated by a high correlation score.We first generate genuine and imposter correlation distributions, which allows us to set a threshold for discrimination and determine the EER value.High security is indicated by the low EER.The similarity correlation sore between a new query template and the stored ones is

Evaluation and results
This section presents the evaluation of the proposed framework using two essential metrics.The first metric is the correlation score, which determines the degree of similarity between a new cancellable template and the ones stored in the database, according to the following relation: where C v is the covariance between the database-stored cancellable ECG template, represented by x , and the new cancellable template during the authentication step, represented by y .σ x and σ y are the standard deviations of the templates.The second metric is the AROC.It represents the effectiveness of the authentication system [38][39][40] .The ROC curve is obtained by plotting the False Positive Rate (FPR) versus the True Positive Rate (TPR).The TPR is the system sensitivity indicator that shows the likelihood of correctly-classified states.The probability of incorrectly rejecting states is measured by the FPR.The following formulas are used to represent TPR and FPR 40 : The correlation scores for approved encrypted biometrics for genuine users are displayed in Fig. 6.Comparably, the correlation scores for impostor biometrics are shown in Fig. 7.The results show that all correlation values for genuine users are larger than 0.95, whereas those for imposters are less than 0.05.As a result, it is easy to set a threshold value in the range of 0.05 to 0.95 to distinguish between biometrics of genuine users and those of imposters.This ensures that the suggested framework has a high level of security.
To give more credibility to the results, Fig. 8 displays the genuine and imposter probability distributions, ensuring low EER values.In addition, Fig. 9 shows the ROC curves of the proposed framework on the two datasets revealing high AROC values.Moreover, the original and cancellable ECG templates are shown in Fig. 10, ensuring dissimilarity between the templates.
A comparison between the proposed cancellable biometric recognition framework and other systems is presented in Table 2.This table shows the performance of the proposed framework at an SNR of 10 dB.The

Conclusions and future work
This research presented a new cancellable biometric recognition framework that utilizes unique ECG signals to secure the IoMT network access process.The methodology adopted herein combines blind signal separation with lightweight encryption.It guarantees balancing between security demands and operational efficiency.Such a balance is critical in healthcare contexts, where the immediacy of access to medical data must not compromise the integrity and confidentiality of patient information.Moreover, the practicality of our solution, characterized by its adaptability to mobile hardware, paves the way for broader adoption and integration into existing IoMT ecosystems.It underscores the potential for cancellable biometric frameworks to evolve beyond traditional security mechanisms, offering a dual advantage of enhanced security and user-centric design.This research, therefore, not only addresses current security challenges within IoMT networks but also anticipates the future needs of the new healthcare landscape.In doing so, it invites a paradigm shift in how security is conceptualized and implemented in medical technology, advocating for solutions that are both technologically advanced and deeply attuned to the human aspects of healthcare delivery.Our findings demonstrate that this framework offers a high degree of security, evidenced by low EER and high AROC values.These promising outcomes give a rich avenue for exploration, particularly in the development of more sophisticated algorithms and the exploration of other biometric modalities, to further refine and enhance the security and usability of IoMT systems.As we look forward, it is imperative that the research community continues to innovate and collaborate in developing security solutions that not only protect but also empower patients and healthcare providers in the digital age.

Figure 5
Figure 5 illustrates the proposed IoMT network access framework based on ECG signals.Its main steps are summarized as follows: a. Acquire of ECG signals.b.Create distorted ECG templates through blind signal separation with an auxiliary audio signal for the same person and XOR encryption operation.These templates are either stored in a database or used for authentication.c.Use a correlation metric to verify user identity.

Figure 5 .
Figure 5. Flowchart of the proposed framework for IoMT networks access.

Figure 6 .
Figure 6.Correlations of approved ECG biometrics: (a) for the ECG-ID dataset and (b) for the MIT-BIH dataset.

Figure 7 .
Figure 7. Correlation scores for imposters: (a) for the ECG-ID dataset and (b) for the MIT-BIH dataset.

Figure 8 .
Figure 8. Genuine and imposter distributions of the proposed cancellable ECG recognition framework: (a) for the ECG-ID dataset, and (b) for the MIT-BIH dataset.
The usefulness and adoption of certain cancellable biometric recognition systems are restricted, because they are neither universally scalable nor adaptable to various devices or systems.•Users may experience inconvenience or frustration due to cancellable biometric recognition systems' inconsistent accuracy or speed.• Usability problems might arise from unclear or difficult-to-use cancellable biometric recognition systems.

Table 1 .
Overview of the relevant works.
Flowchart of weight optimization for blind signal separation.Preprocessing of ECG signalsSystem mismatch or ambient noise may have an impact on the ECG signals during acquisition.A digital notch filter can be implemented to eliminate power line interference.

Table 2 .
Comparison of the proposed framework with other previous systems.